Prevention of DDoS attack on IPv6 Subnet-router Anycast Addresses

To reduce exposure to a Distributed Denial of Service (DDoS) attack aimed at the router itself, you can configure the device to drop traffic that is destined for IPv6 subnet-router anycast addresses.

RFC 4291 defines the IPv6 subnet-router anycast address as the subnet prefix followed by an all-zero interface identifier (for example, the subnet-router anycast address of 2001:db8:1:1::/64 is 2001:db8:1:1::). A packet sent to a subnet-router anycast address is delivered to one router on that subnet. RFC 4291 requires all routers to support the subnet-router anycast addresses of the subnets to which they have interfaces.

The IPv6 subnet-router anycast address is intended for applications in which a node needs to communicate with any one of the set of routers on a subnet. Because every router must accept traffic to this address on each of its subnets, the address is a predictable target: an attacker can flood it and force a router to process the traffic, which makes it a usable vector for a DDoS attack against the router.

You can use the ipv6 subnet-zero drop command to drop traffic that is destined for the IPv6 subnet-router anycast address. For more information, see Drop IPv6 Subnet-router Anycast Address Traffic.
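The following is an added example, not code from the original page or from the vendor: it shows how the subnet-router anycast address is derived from an interface prefix as defined in RFC 4291, and models the effect of the drop policy described above by classifying constructed packet destinations against a set of assumed interface prefixes. The interface names and prefixes are constructed for illustration.

```python
import ipaddress

# Constructed example: prefixes assumed to be configured on a router's
# interfaces. These are not from the original page.
INTERFACE_PREFIXES = {
    "GigabitEthernet0/0": "2001:db8:1:1::/64",
    "GigabitEthernet0/1": "2001:db8:1:2::/64",
    "Loopback0": "2001:db8:ffff::1/128",
}


def subnet_router_anycast(prefix: str) -> ipaddress.IPv6Address:
    """Return the subnet-router anycast address for a prefix (RFC 4291, 2.6.1).

    The address is the subnet prefix followed by an all-zero interface
    identifier, which is the network address of the prefix. Host bits in
    the input (an interface address such as 2001:db8:1:1::5/64) are cleared.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net.network_address


def anycast_targets(prefixes):
    """Map each subnet-router anycast address the router must accept to its interface.

    A /128 has no interface-identifier bits, so it carries no subnet-router
    anycast address and is skipped.
    """
    targets = {}
    for ifname, prefix in prefixes.items():
        net = ipaddress.IPv6Network(prefix, strict=False)
        if net.prefixlen == 128:
            continue
        targets[net.network_address] = ifname
    return targets


def classify(dst: str, prefixes, subnet_zero_drop: bool) -> str:
    """Decide what the router does with a packet destined for dst.

    Returns "drop-anycast" when dst is the subnet-router anycast address of a
    configured prefix and the drop policy is on, "anycast" when it is such an
    address and the policy is off, and "forward" for any other destination.
    """
    addr = ipaddress.IPv6Address(dst)
    if addr in anycast_targets(prefixes):
        return "drop-anycast" if subnet_zero_drop else "anycast"
    return "forward"


def filter_packets(dsts, prefixes, subnet_zero_drop=True):
    """Apply the policy to a batch of destinations; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for dst in dsts:
        verdict = classify(dst, prefixes, subnet_zero_drop)
        (dropped if verdict == "drop-anycast" else forwarded).append(dst)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed flood: many packets to the anycast address of one subnet,
    # mixed with ordinary unicast traffic that must keep flowing.
    flood = ["2001:db8:1:1::"] * 5 + ["2001:db8:1:1::10", "2001:db8:1:2::"]
    kept, dropped = filter_packets(flood, INTERFACE_PREFIXES, subnet_zero_drop=True)
    print(f"forwarded={len(kept)} dropped={len(dropped)}")
```

With the drop policy on, only packets whose destination exactly equals a configured prefix with a zero interface identifier are discarded; ordinary unicast traffic to hosts in the same subnet is unaffected, which is the behaviour to verify after enabling the feature.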